OFFICE OF THE INSPECTOR GENERAL

EVALUATION OF THE U.S. INTERNATIONAL TRADE COMMISSION'S FISCAL YEAR 2004 INFORMATION SECURITY PROGRAM AND PRACTICES

AUDIT REPORT
OIG-AR-OI-05

October 6, 2004

INSPECTOR GENERAL
IG-BB-020

UNITED STATES INTERNATIONAL TRADE COMMISSION
WASHINGTON, D.C. 20436

October 6, 2004

MEMORANDUM

TO: THE COMMISSION

We hereby submit Audit Report No. OIG-AR-OI-05, Evaluation of the U.S. International Trade Commission's Fiscal Year 2004 Information Security Program and Practices. We conducted an independent evaluation of the Commission's information security program and practices to determine if the Commission: (1) implemented appropriate actions to address recommendations made in OIG-AR-03-03 (September 22, 2003); and (2) met Federal Information Security Management Act criteria.

The Commission has made significant progress in strengthening its information security program plan during the 2004 fiscal year (FY). The most commendable accomplishments include:

- Designing and implementing System Security Plans for Commission-owned major applications, notably: EDIS, ITC Net, Publishing Network, Custom Net Import File, Core WebServices and Data Web Cluster;

- Working towards completing a Commission-wide risk assessment as well as application-specific risk assessments; and

- Installing and implementing a new local area network infrastructure (ITC-Net) that was designed to address most of the FY 2003 access control related recommendations.

The Commission must however take further action in order to achieve consistency with U.S. Office of Management and Budget (OMB) Circular A-130, Appendix III, Security of Federal Automated Information Resources (February, 1996). We made 14 recommendations to improve the Commission's IT security. In addition to the 13 recommendations from OIG-AR-03-03 (September 22, 2003), this report identifies 1 new weakness. The Commission concurred with our findings and recommendations.

Due to the sensitive nature of the information contained in our report, we have limited distribution of the report.